Children's data hacked after school software firm missed basic security step, internal report says

Yahoo

31-01-2025

The hack of a company that helps schools track tens of millions of students appears to be the largest breach of American children's personal information to date, school officials and cybersecurity experts say.
And a specially commissioned interim cybersecurity audit by cybersecurity company CrowdStrike showed that the company had apparently failed to take basic precautions to protect students' data, according to a copy exclusively obtained by NBC News and records of internal discussions.
The company, PowerSchool, is best known for its Student Information System (SIS), one of the most widely used education tech programs in the U.S., and one of the breached systems. The SIS software helps school districts keep track of K-12 students, collecting information like their name, school, birthday, address and parent or guardian. Many districts go further and add information like their Social Security number, health concerns or disciplinary records.
Theft of children's data is regarded as particularly egregious, as they usually have no agency in how it's protected. It can be difficult to draw a direct line from a particular data breach to a given instance of identity theft, as cybercriminals repeatedly repackage and resell victims' information. But identity theft cost Americans around $43 billion in 2023, according to a 2024 study by AARP.
'We recognize the significance of this incident and are deeply regretful that it occurred,' Beth Keebler, a PowerSchool spokesperson, said in an emailed statement. 'PowerSchool has significantly invested in its cybersecurity program, culture, and talent over the years — this has been a diligent and continuous area of focus and one the Company plans to continue to invest in.'
Cybercriminals who steal sensitive data often threaten to publish it if they're not paid a ransom. PowerSchool declined to comment to NBC News about any extortion demand or payment. But in a private virtual briefing with customers, the company's chief information officer, Mishka McCowan, said the company had paid the hacker and received a video of them appearing to delete the stolen data, a person who attended the call told NBC News.
Cybersecurity experts caution that cybercriminals can backtrack on promises not to release data, and it's impossible to verify that the hacker didn't make backup copies.
In December, a hacker gained what appears to be full access to the SIS information of those schools that had used customer support. While not the entirety of PowerSchool's customer base, the breach appeared to expose the data of tens of millions of American children. While exact numbers are still unclear, the hacker has claimed the figure to be 62 million. That figure was first reported by the tech news site Bleeping Computer.
As of Thursday, the breached data did not appear to be publicly available online.
Private assessments of the hack show the company failed to take basic steps to protect students' data. PowerSchool hired the cybersecurity firm CrowdStrike to help investigate the breach. An interim report prepared by CrowdStrike and disseminated to some school officials, the contents of which had not previously been public and which was acquired by NBC News, found no evidence that the hackers used malware or found a backdoor into PowerSchool's systems. Instead, the hacker simply obtained a single employee's password. That granted access to a 'Maintenance Access' function that let them download millions of children's personal information.
According to the CrowdStrike report, the company was not even aware that it had been the victim of such a massive hack until late December, several days after it happened, when the hacker contacted the company to inform it and ask for a payment.
CrowdStrike declined to comment, in line with industry practice.
In a private online chat that included company executives and school representatives, an executive admitted that the hackers were able to access and download the student records by logging into one account that didn't have two-factor authentication enabled, one of the most basic cybersecurity standards for any account, particularly one that has access to sensitive information. One participant, who requested not to be named, took a screenshot of the chat and shared it with NBC News.
Bill Fitzgerald, an independent security consultant for schools, said that was an example of poor security, though not uncommon in the EdTech industry.
'If you're not enforcing multifactor authentication, that's just not best practice,' Fitzgerald told NBC News. 'But this happens all the time.'
Doug Levin, the national director of K12 SIX, an industry nonprofit devoted to helping schools guard themselves from hackers, blamed lax cybersecurity standards across what's referred to as EdTech, the industry of education-focused technology that schools increasingly rely on, especially since the Covid-19 pandemic. Levin told NBC News that the hack and the lack of safeguards were both extreme but still emblematic of the industry.
'For a sector so integral to the American way of life, it is unconscionable that neither K-12 schools — nor their vendors — are held to a cybersecurity standard of practice,' he said, referencing cybersecurity issues that plague the sector. 'This incident is unique both for its scope and the sensitivity of the data.'
PowerSchool declined to share specifics on how many students were affected by the hack, citing its ongoing investigation, but a spokesperson said the company was confident the number of students whose Social Security numbers were compromised was less than 25% — a figure that could still reach into the tens of millions.
Terry Loftus, the chief information officer for the San Diego County Office of Education, where seven districts are PowerSchool customers, told NBC News he was particularly concerned about hackers accessing additional student information that some school districts include in SIS.
'We may be talking about disabilities and what supports are being put in place for special education students,' Loftus said. 'This is massively sensitive, and something that's of high value to threat actors, as far as reselling to various nefarious groups or data brokers.'
'As it stands right now or as it appears, unless we hear otherwise, this will likely ultimately be the largest breach of K-12 students,' he told NBC News.
In some cases, former students' information was also in the PowerSchool program and their personal information was stolen as well, the company said in a press release.
There is no formal public accounting of PowerSchool's reach, but it has statewide contracts with Alabama, North Carolina and South Carolina, though use of the SIS software can vary within a state. Other states where schools have warned students and parents about the PowerSchool breach include Alaska, Arizona, California, Colorado, Connecticut, Delaware, Illinois, Indiana, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Utah, Wisconsin and Wyoming.
Georgia broadcaster 11Alive has estimated from the state's Department of Education figures that more than 230,000 current students in the state may have been affected.
In some cases, school districts have warned that the hackers stole remarkably specific information. Utah Schools for the Deaf and the Blind announced that the hackers gained access to not just students' names, birthdays and grades, but also their locker numbers and combinations and the balances in their lunch accounts.
Sarah Powazek, the director of the University of California, Berkeley's public interest cybersecurity program, which offers cybersecurity help to schools and other civic organizations that may not be able to afford it, said schools are in the unfortunate position of trusting companies like PowerSchool to protect their students' private information.
'School districts really have no control over this product, and it's not up to them whether or not PowerSchool itself is implementing the correct security procedures within their own organization. The schools are very much at the mercy of these educational technology products,' Powazek told NBC News.
Publicly, PowerSchool has said it takes pains to ensure high cybersecurity standards. In 2023, CEO Hardeep Gulati joined then-first lady Jill Biden at a White House event promoting EdTech cybersecurity. The company's website says it takes a litany of steps to protect kids' and teachers' data, including routine security audits and 'Extensive and ongoing security/cybersecurity training for all our employees.'
PowerSchool is a signatory to another pledge, created by the nonprofit Future of Privacy Forum, in which it promises to take a series of basic steps to protect students' information. A spokesperson for the Future of Privacy Forum told NBC News that PowerSchool's status as a signatory is currently under review for 'potential violations of the company's Student Privacy Pledge commitments.'
This article was originally published on NBCNews.com